Network Deployment

You can deploy the Sophos Web Appliance in a variety of configurations, depending on the requirements of your organization and your existing network architecture.

Basic Deployment Options

Three basic network deployments are possible for the Sophos Web Appliance:

  • Explicit Deployment: All client web browsers are explicitly configured to use the appliance, although this can be done centrally by using distributed Active Directory Group Policy Objects (GPO). Explicit Deployment also supports FTP over HTTP.
  • Transparent Deployment: The firewall or router is configured to redirect port 80 and port 443 traffic through the Web Appliance. In this mode, web traffic filtering is transparent to users, who only see evidence of the Web Appliance if they attempt to connect to certain URLs and are presented with a notification page.
  • Bridged Deployment: All outbound network traffic is routed through the Web Appliance's bridge card, but only port 80 and port 443 traffic is examined. This deployment requires the optional bridge card included with some appliance models. With a Bridged Deployment, network traffic continues to flow in the event of an appliance failure.

Alternative Deployment Options

There are three additional deployments that allow the Web Appliance to work with some common network topologies. You may want to use one of the following, depending on the structure of your existing network.

  • Bypass for Internal Servers: Allows clients to access specific internal servers directly. This is recommended for use with Explicit Deployment.
  • Use with an Existing Cache: Allows the Web Appliance to work in conjunction with a pre-existing investment in a web-caching server in any one of the three basic network deployments (Explicit, Transparent, or Bridged).
  • Use with an ISA/TMG Server: Allows the Web Appliance to work with a downstream or upstream Microsoft Internet Security and Acceleration (ISA) or Microsoft Forefront Threat Management Gateway (TMG) Server in any one of the three basic network deployments (Explicit, Transparent, or Bridged).
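As an added illustration of how Explicit Deployment and Bypass for Internal Servers fit together on the client side (this is example code written for this page, not part of the Sophos documentation or product), the proxy auto-configuration (PAC) script below sends requests for internal hosts direct and everything else, including ftp:// URLs (FTP over HTTP), to the appliance. A PAC file like this is what a GPO would distribute to browsers in an explicit deployment. The appliance name swa.example.local, port 8080, the internal domain .example.local and the RFC 1918 address ranges are assumptions; the isInNet, dnsDomainIs and isPlainHostName shims exist only so the file also runs under Node.js for testing, since a real PAC engine supplies those functions itself and the shims step aside when they are present.

```javascript
// Example PAC file for an Explicit Deployment with internal-server bypass.
// Assumptions (not from the Sophos page): appliance name/port, internal
// domain, and the private address ranges treated as internal.
var APPLIANCE = "PROXY swa.example.local:8080";
var INTERNAL_DOMAIN = ".example.local";

// Parse a dotted IPv4 literal into an unsigned 32-bit number, or null if the
// string is not a valid IPv4 literal (hostnames fall into the null case).
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Shims for the PAC built-ins, used only when no PAC engine provides them
// (e.g. when this file is loaded under Node.js). Unlike the real isInNet,
// the shim does not resolve hostnames: only literal IPs match a subnet.
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };

var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length &&
           host.substring(host.length - domain.length) === domain;
  };

var isInNet = (typeof isInNet === "function") ? isInNet :
  function (ipOrHost, pattern, mask) {
    var a = ipToInt(ipOrHost), p = ipToInt(pattern), m = ipToInt(mask);
    if (a === null || p === null || m === null) return false;
    return ((a & m) >>> 0) === ((p & m) >>> 0);
  };

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  // Unqualified names such as "fileserver" are internal: bypass the appliance.
  if (isPlainHostName(host)) return "DIRECT";

  // Hosts in the internal DNS domain are served directly.
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";

  // Private address ranges (assumed to be the organization's internal subnets).
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // Everything else, including ftp:// URLs, goes through the Web Appliance.
  // No "; DIRECT" fallback is appended on purpose: a fallback would let
  // browsers silently bypass filtering whenever the appliance is unreachable.
  return APPLIANCE;
}
```

Leaving out a DIRECT fallback is the conservative choice for a filtering proxy; the trade-off is the one the comparison table states for Explicit Deployment, namely that after an appliance failure the clients (here, the PAC they receive) have to be reconfigured before they can browse again.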

Network Deployment Recommendations

It may be necessary to make additional adjustments to accommodate the requirements of your network.

If Active Directory integration is not enabled, the Web Appliance allows connections from any user or computer that can access it. This means that it could allow people from outside of your organization to use your Web Appliance as a proxy, consuming your bandwidth and creating traffic that appears to come from your organization. Sophos strongly advises that you take the following steps to prevent this:
  1. Configure your firewall to prevent inbound connections to the Web Appliance from outside your network. The Web Appliance does not require that any inbound ports be open for external traffic.
  2. Configure the Web Appliance to accept requests only from your own network. To do this:
    1. Select Configuration > Group Policy > Default Groups.
    2. Create a custom user group consisting of all your internal subnets and add this group to the Selected groups list.
    3. Select the Only the users/groups selected below option, and click Apply.

Configure your firewall to allow email with attachments from the Web Appliance to This is necessary information for Sophos, which uses system status snapshots that you submit as email attachments to ensure that your Web Appliance is operating within acceptable thresholds.

Network Deployments Comparison Table

The following table presents the key characteristics of each basic supported deployment scenario. For details of each, see the sections that follow.

  Characteristic                     Explicit Deployment        Transparent Deployment            Bridged Deployment
  WCCP Integration                   No                         Yes                               n/a
  Web Appliance Traffic Performance  Only carries web traffic   Only carries web traffic          Carries all outbound traffic
  Network Configuration              Configure all clients      Configure firewall or router      Configure only Web Appliance
  Post-Failure Reconfiguration       Configure all clients      Configure the firewall or router  Power down Web Appliance

If you use the Transparent or Bridged deployment, see Switching from Transparent Mode to Explicit Mode or Switching from Bridged Mode to Explicit Mode to learn about making the transition to Explicit Deployment.